There are many reasons why a service organization may decide to obtain a service audit report; here are some of the reasons we often see:
Customer requests
- A customer requests a report because they are outsourcing a key business process and they need to understand the controls at the service bureau as part of their internal Sarbanes-Oxley (SOX) compliance program
- Customer wants to understand outsourced controls as part of their internal vendor management/due diligence program
- A large customer required this in their written contract (it is sometimes added when trying to make the sale)
- The company is losing business to competitors because they don’t provide a Service Organization Control (SOC) report
- The company realizes that they are getting audited by several companies during the year, which they could potentially eliminate with a SOC audit
Benefits of an Independent SOC 1, 2 or 3 Audit:
- Instant credibility
- Independent assessment of controls to give to customers annually
- Potential to win more business (many companies require a SOC audit as a contractual obligation)
- Reduction of third-party self-assessment questionnaires
- One audit report to satisfy multiple customers
Examples of Organizations That Might Request a SOC Audit:
- Cloud Hosting Service Providers
- Technology Service Providers (TSPs)
- Application Service Providers (ASPs)
- Software-as-a-Service (SaaS)
- Third-Party Administrators
- Payroll Providers
- Professional Employer Organizations (PEOs)
- Collection Companies
- Data Center and Co-lo (co-location) Services
- Managed Service Providers
- ACH Processors
- Health Care Claims Processors
- Prescription Benefit Management Service Providers (PBMs)
- Financial Services Technology Service Providers (e.g., remote deposit capture service provider)
Services We Provide:
- Readiness Services – Which audit is right for your customers? Do you have the right controls in place for a successful result?
- SOC 1 and SOC 2 Audits – Either for a point in time (Type I) or covering a period of time (Type II).